
Project: Building a Hacker Protection Script

Introduction

In this tutorial, we will build a production-ready bash script that automates essential security hardening tasks. This “Hacker Protection Script” is designed to be the first thing you run on a fresh Linux installation to secure it against common attack vectors.

We’ll combine everything we’ve learned about variables, loops, conditionals, and functions into a robust tool that you can add to your personal arsenal.

Features

Our script will perform the following actions:

  1. Update System: Ensure all packages are up to date.
  2. Firewall Configuration: Set up ufw with rules for the standard ports.
  3. SSH Hardening: Disable root login and password authentication.
  4. Network Auditing: Scan for open ports using netstat or ss.
  5. Log Analysis: Check for failed login attempts.

The Script Architecture

Let’s start by defining the structure of our script. We’ll use a modular approach with functions for each task.

protective_shield.sh
#!/bin/bash
# ==============================================================================
# AUTHOR: Sudo Ankit
# DATE: 2026-01-10
# DESCRIPTION: Automates basic server hardening tasks.
# ==============================================================================

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Functions to print status messages
log_info() {
    echo -e "${GREEN}[INFO] $1${NC}"
}
log_warn() {
    echo -e "${YELLOW}[WARN] $1${NC}"
}
log_error() {
    echo -e "${RED}[ERROR] $1${NC}"
}

# Check for root privileges
if [[ $EUID -ne 0 ]]; then
    log_error "This script must be run as root"
    exit 1
fi

1. System Updates

Keeping your system updated is rule #1 of cybersecurity.

update_system() {
    log_info "Updating package lists and upgrading system..."
    if apt-get update -y && apt-get upgrade -y; then
        log_info "System updated successfully."
    else
        log_error "Failed to update system."
        exit 1
    fi
}

2. Firewall Configuration

We’ll use ufw (Uncomplicated Firewall) to set up a basic firewall. We want to allow SSH (port 22), HTTP (port 80), and HTTPS (port 443), while denying everything else by default.

configure_firewall() {
    log_info "Configuring UFW firewall..."
    # Check if ufw is installed
    if ! command -v ufw &> /dev/null; then
        log_warn "UFW not found. Installing..."
        apt-get install ufw -y
    fi
    # Set defaults
    ufw default deny incoming
    ufw default allow outgoing
    # Allow essential ports (SSH is allowed before enabling so the session is not cut off)
    ufw allow ssh
    ufw allow 80/tcp
    ufw allow 443/tcp
    # Enable firewall (--force skips the interactive confirmation)
    ufw --force enable
    log_info "Firewall configured and enabled."
}

3. SSH Hardening

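SSH is the most common entry point for attackers. We need to secure it by editing /etc/ssh/sshd_config. Confirm that key-based login works for a non-root account before running this step: once root login and password authentication are disabled, that is the only way in over SSH.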

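harden_ssh() {
    local cfg=/etc/ssh/sshd_config
    log_info "Hardening SSH configuration..."
    # Backup current config
    cp "$cfg" "$cfg.bak"
    # Disable root login (also rewrites the commented-out default, e.g. "#PermitRootLogin ...")
    sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg"
    # Disable password authentication (keys only)
    sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg"
    # Validate the edited file; restore the backup instead of restarting on a broken config
    if ! sshd -t; then
        cp "$cfg.bak" "$cfg"
        log_error "sshd_config failed validation. Backup restored."
        exit 1
    fi
    # Restart SSH service (the unit is named ssh on Debian/Ubuntu, sshd elsewhere)
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
    log_info "SSH hardened. Root login and password auth disabled."
}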
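
A line-oriented sed substitution can only rewrite lines that already exist, and sshd keeps the first value it reads for each keyword, so where the directive ends up in the file matters. The following is an added example, not part of the tutorial's script: the helper names set_sshd_option, first_global_value and write_sample_config are hypothetical, and the sample config is constructed.

```shell
#!/bin/bash
# Added example: set_sshd_option and first_global_value are hypothetical helper names.

# set_sshd_option FILE KEY VALUE
# Writes "KEY VALUE" as the first line of FILE and drops every other global
# copy, active or commented out. Lines after a Match line are left untouched.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp rc
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { print key " " value; want = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # ignore indent and one leading "#"
            n = split(line, f, /[ \t=]+/)
            # "Key value" and "#Key value" go; prose such as
            # "# PasswordAuthentication.  Depending on ..." has f[1] = "Key." and stays.
            if (!in_match && n >= 2 && tolower(f[1]) == want) next
            if ($0 !~ /^[ \t]*#/ && tolower(f[1]) == "match") in_match = 1
            print
        }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# first_global_value FILE KEY -> first active value before any Match block
first_global_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample input modelled on a stock sshd_config (not from the tutorial)
write_sample_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
# PasswordAuthentication.  Depending on your PAM configuration,
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF
}
```

On a host with OpenSSH installed, run sshd -t after the edit and read the effective values from sshd -T. A Match block such as the one in the sample still overrides the global setting for the users it matches, so review those blocks by hand.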

Running the Script

Combine all these functions into a main execution block:

main() {
    log_info "Starting Hacker Protection Script..."
    update_system
    configure_firewall
    harden_ssh
    log_info "All tasks completed. System is now hardened."
}
main

Conclusion

This script is just a starting point. In a real-world scenario, you would also want to:

  • Install and configure Fail2Ban
  • Set up automatic security updates
  • Configure audit logging
  • Create a non-root user with sudo privileges if one doesn’t exist

Remember, automation is key to consistent security. By scripting these tasks, you ensure every server you deploy meets your baseline security standards.